removed express and app cve remediations for focus on the dhi value more

GannaChernyshova · GannaChernyshova · commit c9de4245c18c · 2025-11-20T11:59:32.000-05:00
diff --git a/.labspace/01-introduction.md b/.labspace/01-introduction.md
@@ -2,6 +2,10 @@
 
 👋 Welcome to the **Docker Hardened Images** lab! This lab outlines the benefits of Docker Hardened Images and walks you through the migration process for the Node application.
 
+## First thing to get started, please provide your Docker org name
+
+::variableDefinition[orgname]{prompt="What is your Docker org name?"}
+
 ## Docker Hardened Images are Secure, Minimal, Production-Ready Images with near-zero CVEs and enterprise-grade SLA for rapid remediation. 
 
 These images follow a distroless philosophy, removing unnecessary components to significantly reduce the attack surface. The result? Smaller images that pull faster, run leaner, and provide a secure-by-default foundation for production workloads:
diff --git a/.labspace/02-mirror-the-image.md b/.labspace/02-mirror-the-image.md
@@ -1,9 +1,5 @@
 # Getting started
 
-## First thing to get started, please provide your Docker org name
-
-::variableDefinition[orgname]{prompt="What is your Docker org name?"}
-
 ## 1. Mirror a DHI node image repo
 
 Go to the [Node DHI page](https://hub.docker.com/orgs/$$orgname$$/hardened-images/catalog/dhi/node) and click on the `Mirror to repository` button.
diff --git a/.labspace/03-image-scanning.md b/.labspace/03-image-scanning.md
@@ -2,7 +2,7 @@
 
 ## Exploring the app
 
-This demo repository contains a Hello World Node.js application consisting of a basic ExpressJS server and Dockerfile pointing to a Trixie (Debian 13) base image.
+This demo repository contains a Hello World Node.js application consisting of a basic JS server and Dockerfile pointing to a Trixie (Debian 13) base image.
 The app logic is implemented in the :fileLink[app.js]{path="app.js"} file. 
 
 
@@ -23,73 +23,40 @@ docker buildx build --provenance=true --sbom=true -t $$orgname$$/demo-node-doi:v
 ```
 
 2. Now that you have an image let's analyze it.
-Use the `docker scout cves` command to list all discovered vulnerabilities:
+Use the `docker scout quickview` command to list all discovered vulnerabilities and scout policies alignment:
 
 ```bash
-docker scout cves $$orgname$$/demo-node-doi:v1
-```
-
-After a moment, you will see details about each of the vulnerabilities discovered in the image with a similar summary.
-
-```plaintext no-copy-button
-34 vulnerabilities found in 17 packages
-  CRITICAL  0   
-  HIGH      6   
-  MEDIUM    2   
-  LOW       26 
-```
-
-A couple of things to note about this:
-
-- If you scroll up or search the `pkg:npm/express@4.17.1` - this part of the report is related to the NPM package named `express`, which has version 4.17.1. You should see that the greatest fix version is `4.20.0`
-- Another source of HIGH CVEs is a `path-to-regexp 0.1.7`. The `express` package uses it internally and the `path-to-regexp` library is updated to a fixed version in express version `4.21.2`.
-
-3. A next step for a typical developer is to clean up the package.json dependencies by upgrading the version of each dependency to solve for those vulnerabilities.
-
-Update `express` to the recommended (or latest) version by running the following command:
-
-```bash
-npm install express@4.21.2
-```
-
-4. Build your image again by running the following command:
-```bash
-docker buildx build --provenance=true --sbom=true -t $$orgname$$/demo-node-doi:v2 .
-```
-
-5. And run one more analysis on the image.
-You can now analyze the image with the `docker scout quickview` command:
-
-```bash
-docker scout quickview $$orgname$$/demo-node-doi:v2
+docker scout quickview $$orgname$$/demo-node-doi:v1
 ```
 You will see similar output:
 ```plaintext no-copy-button
-Target     │  $$orgname$$/demo-node-doi:v2       │    0C     1H     1M    22L   
-  digest   │  48bd36fe1f0b                       │                              
-Base image │  node:24.9.0-trixie-slim            │    0C     1H     1M    22L   
-
-Policy status  FAILED  (6/9 policies met)
-
-  Status │                     Policy                     │           Results            
-─────────┼────────────────────────────────────────────────┼──────────────────────────────
-  ✓      │ AGPL v3 licenses found                         │    0 packages                
-  !      │ No default non-root user found                 │                              
-  ✓      │ No AGPL v3 licenses                            │    0 packages                
-  ✓      │ No embedded secrets                            │    0 deviations              
-  ✓      │ No embedded secrets (Rego)                     │    0 deviations              
-  !      │ Fixable critical or high vulnerabilities found │    0C     1H     0M     0L   
-  ✓      │ No high-profile vulnerabilities                │    0C     0H     0M     0L   
-  !      │ Unapproved base images found                   │    1 deviation               
-  ✓      │ Supply chain attestations                      │    0 deviations        
+    i Base image was auto-detected. To get more accurate results, build images with max-mode provenance attestations.
+      Review docs.docker.com ↗ for more information.
+
+  Target     │  demonstrationorg/demo-node-doi:v1  │    0C     2H     1M    18L   
+    digest   │  66cb8da420d8                       │                              
+  Base image │  node:24-trixie-slim                │    0C     2H     1M    18L   
+
+Policy status  FAILED  (5/10 policies met, 1 missing data)
+
+  Status │                              Policy                              │           Results            
+─────────┼──────────────────────────────────────────────────────────────────┼──────────────────────────────
+  ✓      │ AGPL v3 licenses found                                           │    0 packages                
+  !      │ No default non-root user found                                   │                              
+  ✓      │ No AGPL v3 licenses                                              │    0 packages                
+  ✓      │ No embedded secrets                                              │    0 deviations              
+  ✓      │ No embedded secrets (Rego)                                       │    0 deviations              
+  !      │ Fixable critical or high vulnerabilities found                   │    0C     2H     0M     0L   
+  ✓      │ No high-profile vulnerabilities                                  │    0C     0H     0M     0L   
+  !      │ No unapproved base images                                        │    No data                   
+  ✓      │ Missing supply chain attestation(s)                              │    2 deviations                   
       
 ```
-
-Hooray! No more critical or high CVEs on the application level!
-But there are still a few on the base image level. And the critical policies have failed:
+As you can see, there are no CVEs at the application level, but the base image contains 2 high, 1 medium, and 18 low severity CVEs, so it is recommended to be updated. Additionally, the critical policies have failed:
 
     1. No default non-root user found
     2. Fixable critical or high vulnerabilities found
     3. Unapproved base images found
- This is where DHI comes into play.
+ 
+This is where DHI comes into play.
 
diff --git a/.labspace/04-switch-to-dhi.md b/.labspace/04-switch-to-dhi.md
@@ -51,31 +51,32 @@ Hooray! There are zero CVEs and policy violations now!
 
 Docker Scout offers a helpful command `docker scout compare` that allows you to analyze and compare two images. We’ll use it to evaluate the difference in size and package footprint between `node:24.9.0-trixie-slim` and `dhi-node:24.9.0-debian13` based images.
 ```bash
-docker scout compare local://$$orgname$$/demo-node-doi:v2 --to local://$$orgname$$/demo-node-dhi:v1
+docker scout compare local://$$orgname$$/demo-node-dhi:v1 --to local://$$orgname$$/demo-node-doi:v1
 ```
 You will see a similar summary in the output:
 ```plaintext no-copy-button
 ## Overview
   
                       │               Analyzed Image                │              Comparison Image                
   ────────────────────┼─────────────────────────────────────────────┼──────────────────────────────────────────────
-    Target            │  local://$$orgname$$/demo-node-doi:v2       │  local://$$orgname$$/demo-node-dhi:v1   
-      digest          │  75eb23bc5d85                               │  e7a47068ccfa                                
-      tag             │  v2                                         │  v1                                          
+    Target            │  local://demonstrationorg/demo-node-dhi:v1  │  local://demonstrationorg/demo-node-doi:v1   
+      digest          │  e5b9ec7a980c                               │  66cb8da420d8                                
+      tag             │  v1                                         │  v1                                          
       platform        │ linux/arm64                                 │ linux/arm64                                  
-      vulnerabilities │    0C     6H     2M    26L                  │    0C     0H     0M     8L                   
-                      │           +6     +2    +18                  │                                              
-      size            │ 100 MB (+41 MB)                             │ 59 MB                                        
-      packages        │ 901 (+248)                                  │ 653                                          
+      vulnerabilities │    0C     0H     0M     8L                  │    0C     2H     1M    18L                   
+                      │           -2     -1    -10                  │                                              
+      size            │ 59 MB (-41 MB)                              │ 100 MB                                       
+      packages        │ 648 (-248)                                  │ 896                                          
                       │                                             │                                              
-    Base image        │  node:24.9.0-trixie-slim                    │  $$orgname$$/dhi-node:24.9.0-debian13        
+    Base image        │  demonstrationorg/dhi-node-smontri:24       │  node:24-trixie-slim                         
       tags            │ also known as                               │ also known as                                
-                      │   • current-trixie-slim                     │                                              
-                      │   • trixie-slim                             │                                              
-      vulnerabilities │    0C     1H     1M    22L                  │    0C     0H     0M     0L      
+                      │                                             │   • current-trixie-slim                      
+                      │                                             │   • trixie-slim                              
+      vulnerabilities │    0C     0H     0M     0L                  │    0C     2H     1M    18L                   
+  
 ```
 
-As you can see, the original `node:24.9.0-trixie-slim` based image is 41 MB larger, has 248 more packages, and includes high, medium, and low CVEs. The `dhi-node:24.9.0-debian13` based image is 40% smaller and has near-zero CVEs. 
+As you can see, the `dhi-node:24.9.0-debian13`–based image is **41 MB (around 40%) smaller**, contains **248 fewer packages**, and has nearly **zero CVEs** compared to the original `node:24.9.0-trixie-slim`–based image.
 
 **Validate that the app works as expected**
 
diff --git a/app.js b/app.js
@@ -1,12 +1,17 @@
-const express = require('express');
+const http = require('http');
 
-const app = express();
 const port = 3000;
 
-app.get('/', (req, res) => {
-  res.send('Hello World!');
+const server = http.createServer((req, res) => {
+  if (req.url === '/' && req.method === 'GET') {
+    res.writeHead(200, { 'Content-Type': 'text/plain' });
+    res.end('Hello World!');
+  } else {
+    res.writeHead(404);
+    res.end('Not Found');
+  }
 });
 
-app.listen(port, () => {
-  console.log(`Example app listening on port ${port}`);
+server.listen(port, () => {
+  console.log(`Server listening on port ${port}`);
 });
diff --git a/package.json b/package.json
@@ -1,35 +1,22 @@
 {
   "name": "@docker/scout-demo-service",
   "version": "0.1.0",
-  "description": "A boilerplate for Node.js web applications",
+  "description": "A simple Node.js service with Jest and Testcontainers",
   "repository": {
     "type": "git",
-    "url": "https://github.com/docker/scout-demo-servixe.git"
+    "url": "https://github.com/docker/scout-demo-service.git"
   },
-  "license": "Apache-2",
+  "license": "Apache-2.0",
   "scripts": {
     "start": "node app.js",
-    "test": "jest --testTimeout=60000",
-    "lint": "eslint \"**/*.js\""
-  },
-  "dependencies": {
-    "express": "4.17.1"
+    "test": "jest --testTimeout=60000"
   },
   "devDependencies": {
-    "axios": "^1.6.0",
-    "eslint": "^7.17.0",
-    "eslint-config-airbnb-base": "^14.2.1",
-    "eslint-plugin-chai-friendly": "^0.6.0",
-    "eslint-plugin-import": "^2.22.1",
     "jest": "^29.7.0",
     "testcontainers": "^10.13.2"
   },
-  "engines": {
-    "node": ">=10.23.1",
-    "npm": ">=6.14.10"
-  },
   "jest": {
     "testEnvironment": "node",
     "testTimeout": 60000
   }
-}
+}
diff --git a/test/app.test.js b/test/app.test.js
@@ -13,7 +13,7 @@ describe('App Integration Tests', () => {
 
     container = await builtContainer
       .withExposedPorts(3000)
-      .withWaitStrategy(Wait.forLogMessage(/Example app listening on port \d+/))
+      .withWaitStrategy(Wait.forLogMessage(/Server listening on port \d+/))
       .start();
 
     // Get the mapped port
